The "AC FNMT Usuarios" intermediate operated by the Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT), issues certificates that are not BR-compliant. This was acknowledged during the FNMT root inclusion request discussion and allowed as long as the intermediate "never issues TLS/SSL certificates"[0].

Recently, some certificates issued from this intermediate were logged to CT, so we can see what they look like[1]. While they do not contain dnsName SANs, they do contain the anyExtendedKeyUsage EKU, which makes them technically usable for TLS server authentication and in scope for the Mozilla Root Store Policy. Additionally, I was able to find one of these certificates[2] served from a TLS server in Censys[3].

This is information that does not appear to have been available at the time of the root inclusion discussion last year, so I thought I'd point it out.

Jonathan

[0] https://groups.google.com/d/msg/mozilla.dev.security.policy/7wIZmwp4qGQ/wRQgVVz2CQAJ
[1] https://crt.sh/?Identity=%25&iCAID=6664
[2] https://crt.sh/?opt=cablint&id=145250473
[3] https://censys.io/ipv4/213.96.188.218